[Fedora] Re: bind lame servers
David G. Miller
dave at davenjudy.org
Fri May 25 05:36:31 UTC 2007
Jason L Tibbitts III <tibbs at math.uh.edu> wrote:
> "AMK" == Ashley M Kirchner <ashley at pcraft.com> writes:
>
> AMK> Yes, it's called Asia. Several dozen IPs were querying my DNS
> AMK> non-stop.
>
> You should not allow recursive queries from outside of your network.
>
> I do this by having an internal view with a "match-clients" set to my
> internal network, and then later a default view with
> match-clients { any; };
> recursion no;
> although I suspect this is not the simplest way to accomplish this
> because it necessitates duplicating all of the zone declarations that
> are visible in both views.
>
> - J<
I've been pretty happy with the following approach:
[root at fraud ~]# cat /etc/named.conf
// Hosts that may query the internal zone and send dynamic updates.
acl "trusted" {
    localhost;
    192.168.0.0/16;
    72.19.169.230;
};
...
// Internal zone: only "trusted" may query or update; everyone else is refused.
zone "local.davenjudy.org" IN {
    type master;
    file "local.davenjudy.org";
    allow-query {
        trusted;
    };
    allow-update {
        trusted;
    };
};
...
The allow-query clause means that anyone outside of my network gets a
query refused. The weird thing is that logwatch says I get a couple of
queries for internal boxes every day. If someone is persistent, they
get a firewall rule in their honor.
Cheers,
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
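As an added example (not the configuration either poster shared), here is a single-view named.conf that reaches the same goal the thread is circling without the zone duplication Jason mentions: the authoritative zones stay queryable by anyone, while recursion and the resolver cache are limited to the acl, so outside clients hammering the server for other people's names get REFUSED instead of being served. The zone names, file names and addresses are placeholders; `allow-recursion` and `allow-query-cache` are standard BIND 9 options (the latter from 9.4 on).

```conf
// Added example, not the config from either post in this thread.
// Names, file names and addresses below are placeholders.

acl "trusted" {
    localhost;
    192.168.0.0/16;     // assumed internal LAN
};

options {
    directory "/var/named";

    // Keep recursion on for our own clients, but restrict who may use it
    // and who may read answers out of the cache. Authoritative zones are
    // unaffected by these two lists and stay public (see per-zone below).
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };   // BIND 9.4+; defaults to allow-recursion
    allow-query       { any; };       // refined per zone
};

// Public zone: anyone may query; only trusted hosts may send updates.
zone "example.org" IN {
    type master;
    file "example.org.zone";
    allow-query  { any; };
    allow-update { trusted; };
};

// Internal-only zone: outsiders get REFUSED, as with Dave's allow-query.
zone "local.example.org" IN {
    type master;
    file "local.example.org.zone";
    allow-query  { trusted; };
    allow-update { trusted; };
};
```

Check the syntax with `named-checkconf /etc/named.conf` before reloading. To verify the effect from a host outside the acl, `dig @your.server www.example.com` should come back with status REFUSED and without the `ra` flag, while `dig @your.server example.org SOA` still answers with `aa` set. One caveat on both this example and the posted config: address-based `allow-update` trusts whatever can spoof a source address on your LAN, so for anything beyond a home network prefer `update-policy` with a TSIG key.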